Configuring images for update¶
You can specify one or more image(s) for each application that should be considered for updates. To specify those images, the following annotation is used:
<image_spec_list> is a comma separated list of image specifications. Each
image specification is composed of mandatory and optional information, and is
used to specify the image, its version constraint and a few meta data.
An image specification could be formally described as:
Specifying the fields denoted in square brackets is optional and can be left out.
Allowing an image for update¶
The most simple form of specifying an image allowed to update would be the following:
The above example would specify to update the image
nginx to it's most recent
version found in the container registry, without taking any version constraints
This is most likely not what you want, because you could pull in some breaking
nginx releases a new major version and the image gets updated.
So you can give a version constraint along with the image specification:
The above example would allow the
nginx image to be updated to any patch
version within the
1.26 minor release.
If you use an
version_constraint will not be have any effect
and all tags returned from the registry will be considered for update. If
you need to further restrict the list of tags to consider, see
Assigning aliases to images¶
It's possible (and sometimes necessary) to assign an alias name to any given image. Alias names should consist of alphanumerical characters only, and must be unique within the same application. Re-using an alias name across different applications is allowed.
An alias name is assigned during image specification in the
annotation, for example the following would assign the alias
myalias to the
Assigning an alias name to an image is necessary in these scenarios:
If you want to use custom images with Kustomize. In this case, the name must match to what is defined in your Kustomize base.
If you need to specify the Helm parameters used for rendering the image name and version using Helm and the parameter names do not equal
image.tag. In this case, the name is just symbolic.
If you want to set custom options for a given image's update strategy, or require referencing unique pull secrets for each image
The alias you assign to any image will be reused as a key in the annotations
used to define further options, so a little care should be taken when defining
such a name. It's generally advised to use only alpha-numerical characters. The
/ (forward-slash) can be used in the name, but must be referenced
_ (underscore) in the annotation. This is a limit of Kubernetes. So for
example, if you assign the alias
argoproj/argocd to your image, the
appropriate key in the annotation would be referenced as
Argo CD Image Updater can update images according to the following strategies:
||Update to the tag with the highest allowed semantic version|
||Update to the tag with the most recent creation date|
||Update to the tag with the latest entry from an alphabetically sorted list|
You can define the update strategy for each image independently by setting the following annotation to an appropriate value:
If no update strategy is given, or an invalid value was used, the default
semver will be used.
As of November 2020, Docker Hub has introduced pull limits for accounts on
the free plan and unauthenticated requests. The
latest update strategy
will perform manifest pulls for determining the most recently pushed tags,
and these will count into your pull limits. So unless you are not affected
by these pull limits, it is not recommended to use the
strategy with images hosted on Docker Hub.
You can specify an expression that is matched against each tag returned from the registry. On a positive match, the tag will be included in the list of tags that will be considered to update the image to. If the expression does not match the tag, the tag will not be included in the list. This allows you to only consider tags that you are generally interested in.
You can define a tag filter by using the following annotation:
The following match functions are currently available:
||Matches the tag name against the regular expression
||Will match any tag|
If you specify an invalid match function, or the match function is misconfigured (i.e. an invalid regular expression is supplied), no tag will be matched at all to prevent considering (and possibly update to) the wrong tags by accident.
If the annotation is not specified, a match function
any will be used to match
the tag names, effectively performing no filtering at all.
Ignoring certain tags¶
If you want to ignore certain tags from the registry for any given image, you can define a comma separated list of glob-like patterns using the following annotation:
argocd-image-updater.argoproj.io/<image_name>.ignore-tags: <pattern1>[, <pattern2>, ...]
You can use glob patterns as described in this documentation
If you want to disable updating an image temporarily, without removing all of the configuration, you can do so by just ignoring all tags, effectively preventing the image updater to consider any of the tags returned from the registry:
Please note that regular expressions are not supported to be used for patterns.
Specifying pull secrets¶
There are generally two ways on how to specify pull secrets for Argo CD Image Updater to use. Either you configure a secret reference globally for the container registry (as described here), or you can specify the pull secret to use for a given image using the annotation
A configuration for an image will override what is configured for the registry, for that certain image.
secret_ref can either be a reference to a secret or a reference to an
environment variable. If a secret is referenced, the secret must exist in the
cluster where Argo CD Image Updater is running in (or has access to).
Valid values for
secret:<namespace>/<secret_name>#<field>- Use credentials stored in the field
pullsecret:<namespace>/<secret_name>- Use credentials stored in the secret
namespace. The secret is treated as Docker pull secret, that is, it must have a valid Docker config in JSON format in the field
env:<variable_name>- Use credentials supplied by the environment variable named
variable_name. This can be a variable that is i.e. bound from a secret within your pod spec.
ext:<path_to_script>- Use credentials generated by a script. The script to execute must be specified using an absolute path, and must have the executable bit set. The script is supposed to output the credentials to be used as a single line to stdout, in the format
<username>:<password>. Please note that the script will be executed every time Argo CD Image Updater goes to find a new version, and credentials will not be cached. If you want it to execute only once and cache credentials, you should configure this secret on the registry level instead.
In case of
envreferences, the data stored in the reference must
be in format
Custom images with Kustomize¶
In Kustomize, if you want to use an image from another registry or a completely different image than what is specified in the manifests, you can give the image specification as follows:
<image_name> will be the original image name, as used in your manifests, and
<image_path>:<image_path> will be the value used when rendering the
Let's take Argo CD's Kustomize base as an example: The original image used by
Argo CD is
argoproj/argocd, pulled from the Docker Hub container registry. If
you are about to follow the latest builds, as published on the GitHub registry,
you could override the image specification in Kustomize as follows:
Specifying Helm parameter names¶
In case of Helm applications which contain more than one image in the manifests
or use another set of parameters than
image.tag to define
which image to render in the manifests, you need to set an
in the image specification to define an alias for that image, and then
use another set of annotations to specify the appropriate parameter names
that should get set if an image gets updated.
For example, if you have an image
quay.io/dexidp/dex that is configured in
your helm chart using the
dex.image.tag Helm parameters,
you can set the following annotations on your
Application resource so that
Argo CD Image Updater will know which Helm parameters to set:
argocd-image-updater.argoproj.io/image-list: dex=quay.io/dexidp/dex argocd-image-updater.argoproj.io/dex.helm.image-name: dex.image.name argocd-image-updater.argoproj.io/dex.helm.image-tag: dex.image.tag
The general syntax for the two Helm specific annotations is:
argocd-image-updater.argoproj.io/<image_alias>.helm.image-name: <name of helm parameter to set for the image name> argocd-image-updater.argoproj.io/<image_alias>.helm.image-tag: <name of helm parameter to set for the image tag>
If the chart uses a parameter for the canonical name of the image (i.e. image name and tag combined), a third option can be used:
argocd-image-updater.argoproj.io/<image_alias>.helm.image-spec: <name of helm parameter to set for canonical name of image>
<image_alias>.helm.image-spec annotation is set, the two other
will be ignored.
Following an image's patch branch¶
Scenario: You have deployed image
nginx:1.19.1 and want to make sure it's
always up-to-date to the latest patch level within the
Solution: Use standard
semver update strategy with a constraint on the
patch level (
Always deploy the latest build¶
Scenario: Your CI regularly pushes images built from the latest source, using some identifier (i.e. the hash of the Git commit) in the tag.
Give your image a proper alias, i.e.
yourtooland do not define a version constraint.
latestas update strategy
If you just want to consider a given set of tags, i.e.
v1.0.0-<hash>, use a
Annotations might look like follows:
argocd-image-updater.argoproj.io/image-list: yourtool=yourorg/yourimage argocd-image-updater.argoproj.io/yourtool.update-strategy: latest argocd-image-updater.argoproj.io/yourtool.allow-tags: regexp:^v1.0.0-[0-9a-zA-Z]+$
Multiple images in the same Helm chart¶
Scenario: You want to update multiple images within the same Helm chart to their latest available version according to semver.
The Helm parameters to set the image version
foo.tag for the first image, and
bar.tag for the second image. The image names are
Define an alias for both images, i.e.
helm.image-tagfor both aliases to their appropriate values
Annotations might look like follows:
argocd-image-updater.argoproj.io/image-list: fooalias=foo/bar, baralias=bar/foo argocd-image-updater.argoproj.io/fooalias.helm.image-name: foo.image argocd-image-updater.argoproj.io/fooalias.helm.image-tag: foo.tag argocd-image-updater.argoproj.io/baralias.helm.image-name: bar.image argocd-image-updater.argoproj.io/baralias.helm.image-tag: bar.tag
The following is a complete list of available annotations to control the
update strategy and set options for images. Please note, all annotations
must be prefixed with
|Annotation name||Default value||Description|
||none||Comma separated list of images to consider for update|
||The update strategy to be used for the image|
||any||A function to match tag names from registry against to be considered for update|
||none||A comma-separated list of glob patterns that when match ignore a certain tag from the registry|
||none||A reference to a secret to be used as registry credentials for this image|
||none||Name of the Helm parameter to specify the canonical name of the image, i.e. holds
||Name of the Helm parameter used for specifying the image name, i.e. holds
||Name of the Helm parameter used for specifying the image tag, i.e. holds
||original name of image||Name of Kustomize image parameter to set during updates|